Remote Side-Channel Attacks on Anonymous Transactions
Florian Tramer and Dan Boneh, Stanford University; Kenny Paterson, ETH Zurich
https://www.usenix.org/conference/usenixsecurity20/presentation/tramer

This paper is included in the Proceedings of the 29th USENIX Security Symposium, August 12–14, 2020. ISBN 978-1-939133-17-5. Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX.

Florian Tramèr∗ (Stanford University), Dan Boneh (Stanford University), Kenneth G. Paterson (ETH Zürich)

∗Part of this work was performed while the first author was visiting ETH Zürich.

Abstract

Privacy-focused crypto-currencies, such as Zcash or Monero, aim to provide strong cryptographic guarantees for transaction confidentiality and unlinkability. In this paper, we describe side-channel attacks that let remote adversaries bypass these protections.

We present a general class of timing side-channel and traffic-analysis attacks on receiver privacy. These attacks enable an active remote adversary to identify the (secret) payee of any transaction in Zcash or Monero. The attacks violate the privacy goals of these crypto-currencies by exploiting side-channel information leaked by the implementation of different system components. Specifically, we show that a remote party can link all transactions that send funds to a user, by measuring the response time of that user's P2P node to certain requests. The timing differences are large enough that the attacks can be mounted remotely over a WAN. We responsibly disclosed the issues to the affected projects, and they have patched the vulnerabilities.

We further study the impact of timing side-channels on the zero-knowledge proof systems used in these crypto-currencies. We observe that in Zcash's implementation, the time to generate a zero-knowledge proof depends on secret transaction data, and in particular on the amount of transacted funds. Hence, an adversary capable of measuring proof generation time could break transaction confidentiality, despite the proof system's zero-knowledge property.

Our attacks highlight the dangers of side-channel leakage in anonymous crypto-currencies, and the need to systematically protect them against such attacks.

1 Introduction

Bitcoin, the largest crypto-currency, is not private: several academic studies [2, 24, 34, 42, 44] and multiple commercial products [11, 12, 23] show that one can effectively de-anonymize Bitcoin's transaction graph. The same holds for many other crypto-currencies.

For those who want transaction privacy on a public blockchain, systems like Zcash [45], Monero [47], and several others offer differing degrees of unlinkability against a party who records all the transactions in the network. We focus in this paper on Zcash and Monero, since they are the two largest anonymous crypto-currencies by market capitalization. However, our approach is more generally applicable, and we expect other anonymous crypto-currencies to suffer from similar vulnerabilities.

Zcash and Monero use fairly advanced cryptographic primitives such as succinct zero-knowledge arguments (zk-SNARKs) [5] and ring signatures [43]. Despite these strong cryptographic protections, some protocol-level attacks on transaction privacy have been found [4, 28, 37] and corrected (we discuss these attacks in the related work in Section 7).

In this paper we take a different approach to analyzing the privacy guarantees for anonymous transactions. Rather than attacking the abstract protocols, we look at side-channel information that is leaked by the implementation of different components in the system. Specifically, we look at timing side-channels and traffic patterns, as measured by a remote network attacker. We show that, while the abstract zero-knowledge protocols used in these systems can hide information from an observer, these protocols are vulnerable to side-channel leakage. Any information leakage can invalidate the zero-knowledge property, and weaken or break the privacy guarantees of anonymous transactions.

1.1 Our results

We describe multiple attacks on transaction privacy in Zcash and Monero that exploit communication patterns or timing information leaked by different parts of the system. We take a systematic approach, looking at the life cycle of an anonymous transaction as it traverses the system. At every step, we look for side-channels and assess their impact on user privacy.

The life-cycle of an anonymous transaction is shown in Figure 1.

[Figure 1 (diagram): (1) User creates Tx; (2) Tx is sent into P2P network; (3) Wallets process new Txs. Components shown: wallet with local prover, wallet with remote prover, wallet with local node, wallet with remote node, P2P node; Adversaries 1a, 1b, 2 and 3.]

Figure 1: Side-channels in the anonymous transaction life cycle. (1) A user's wallet creates a transaction, which involves generating a cryptographic proof. This computation might be performed locally or outsourced to a remote service. (2) The wallet sends the new transaction to a P2P node which propagates it into the network. (3) A P2P node shares a received transaction with a connected wallet; the connection may be local or remote. During transaction creation, Adversary 1a can time an outsourced proof generation to leak some transaction secrets (Section 3.3). When processing a new transaction, a wallet's behavior may change when it is the transaction's payee. If the wallet connects to a remote node, this can be inferred by Adversary 1b that observes traffic patterns between the wallet and node, or by Adversary 3 that controls the node. If the wallet and node are co-located, changes in the wallet behavior can be inferred by Adversary 2 that interacts with the user's P2P node (Section 3.2).

First, the transaction is created in the payer's wallet, possibly with the help of a remote server to generate the necessary zero-knowledge proof to prove transaction validity. Then the transaction is transmitted through the P2P network. Finally, the transaction is received by the payee wallet, possibly with the help of a remote P2P node that records all transactions in the P2P network. The payee's wallet must scan through all anonymous transactions in the network to find those transactions of which it is the recipient.

An attacker can observe side-channel information at each of these steps and attempt to learn information about the transaction, such as: the identity of the intended payee (e.g., their public key, or the IP address of their P2P node), the amount of funds transferred in the transaction, or the source of the funds. We next summarize our results.

Zcash. In Zcash, a user's wallet and P2P node are run in a single process. The wallet checks if it is the payee of every incoming transaction by attempting to decrypt it using its secret key. This results in two sources of side-channel leakage: (1) if decryption succeeds and the decrypted transaction (called a Note plaintext) is well-formed, the wallet performs an extra Pedersen commitment check; (2) if decryption succeeds, but the decrypted transaction is malformed, the wallet throws an exception that is propagated to the node's P2P layer.

In the first case, the time taken to perform the extra Pedersen commitment check causes a delay in the P2P node's response to subsequent network messages. Consequently, we show an attack, termed PING, which sends a transaction to a node followed immediately by a "ping" message (a standard keep-alive message in Zcash's P2P network). The attacker can use the delay in the ping response to infer whether the node was the transaction's payee or not. This constitutes a break of transaction unlinkability.

In the second case, we propose the REJECT attack wherein an attacker carefully crafts a malformed transaction, encrypts it under a known (but anonymous) public key, and sends it to a target P2P node. If decryption succeeds, then the exception is triggered, and the target node sends an explicit "reject" message back to the attacker. Receipt of this message then tells the attacker that the selected public key belongs to the owner of the target P2P node — a breach of anonymity. Details of the PING and REJECT attacks are in Section 4.

Monero. For Monero, where wallets and nodes are run in separate processes, we show that receipt of a payment alters the communication pattern between a wallet and its node. If the wallet is connected to a remote node (as is common for mobile wallets or when first syncing with the network), we show in Section 5 that a passive network adversary can infer if the wallet is the payee of a recent transaction. Furthermore, even if the user's wallet and node are co-located, we show that a remote adversary can infer the wallet-to-node communication pattern by causing and observing lock contention over the node's resources. We validate this timing attack in a WAN, where an attacker (located in London) infers if a victim (running a node and wallet in Zürich) receives a payment.

For both Zcash and Monero, our attacks enable a remote adversary to link anonymous transactions by identifying the P2P node of each transaction payee. As described in Section 3.2, the attacks can be further exploited to: (1) identify the IP address of a user's P2P node, given her public key; (2) break the unlinkability of diversified addresses belonging to the same user. For Zcash, the attacks further make it possible to: (3) remotely crash a Zcash node, given the user's public key, and (4) create a remote timing side-channel on an (non constant-time)

These crypto-currencies build on top of Bitcoin's so-called UTXO model. Each transaction spends outputs from prior transactions and produces new outputs.
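The two Zcash leaks summarized above (an extra commitment check on the request path when trial decryption succeeds, and a wallet exception that surfaces to the peer as an explicit "reject" message) share one root cause: the node's reply to a peer depends on whether its wallet is the payee. The following Python model is an added example, not code from the paper or from the Zcash or Monero projects. Its key derivation, XOR-stream "encryption", note format, commitment check and work-unit costs are constructed stand-ins for the real primitives, and `handle_tx_hardened` is one illustrative mitigation (deferring wallet scanning off the P2P request path and containing wallet errors there), assumed for this example rather than taken from the projects' actual patches. `response_is_invariant` is the kind of regression check a maintainer would keep: it passes only when every reply, including its on-path cost, is identical regardless of payee status.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

# Toy model of a wallet-in-node trial-decryption path. Everything below is
# constructed for this example (not Zcash's real primitives or formats).
# Cost is counted in abstract work units instead of wall-clock time so the
# comparison between the two handlers is deterministic.

NOTE_LEN = 40            # 8-byte value || 32-byte commitment (constructed format)
BASE_COST = 1            # work done by the trial decryption itself
COMMIT_CHECK_COST = 50   # stand-in for the extra Pedersen commitment check


def _sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def public_key(secret: bytes) -> bytes:
    return _sha(b"pk", secret)  # toy: the public key is a hash of the secret


def _stream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += _sha(key, counter.to_bytes(4, "big"))
        counter += 1
    return out[:n]


def encrypt_note(pk: bytes, plaintext: bytes) -> bytes:
    key = _sha(b"enc", pk)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, len(plaintext))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct  # tag || ciphertext


def try_decrypt(secret: bytes, blob: bytes) -> Optional[bytes]:
    key = _sha(b"enc", public_key(secret))
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # not addressed to this wallet
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))


class MalformedNote(Exception):
    """Raised when a successfully decrypted note plaintext fails to parse."""


def make_note(value: int) -> bytes:
    v = value.to_bytes(8, "big")
    return v + _sha(b"commit", v)  # toy commitment over the value


def wallet_scan(secret: bytes, blob: bytes) -> int:
    """Trial-decrypt one transaction; return the work units it cost."""
    pt = try_decrypt(secret, blob)
    if pt is None:
        return BASE_COST                              # not ours: cheap path
    if len(pt) != NOTE_LEN:
        raise MalformedNote("note plaintext has the wrong length")
    value, commit = pt[:8], pt[8:]
    if commit != _sha(b"commit", value):              # extra check, only run
        raise MalformedNote("commitment mismatch")    # when decryption succeeds
    return BASE_COST + COMMIT_CHECK_COST


@dataclass(frozen=True)
class Response:
    message: str   # what the P2P layer sends back to the peer
    cost: int      # work spent on the request path before the next reply


def handle_tx_vulnerable(secret: bytes, blob: bytes) -> Response:
    # Scanning runs inline on the P2P thread and wallet exceptions reach the
    # P2P layer: both the reply and its delay depend on payee status.
    try:
        return Response("ok", wallet_scan(secret, blob))
    except MalformedNote:
        return Response("reject", BASE_COST)


def handle_tx_hardened(secret: bytes, blob: bytes, queue: List[bytes]) -> Response:
    # Illustrative mitigation (assumed here, not the projects' patch): scanning
    # is deferred to a wallet worker off the request path, so the peer sees the
    # same reply and the same on-path cost whether or not this node is the payee.
    queue.append(blob)
    return Response("ok", BASE_COST)


def wallet_worker(secret: bytes, queue: List[bytes]) -> int:
    """Drain the queue; errors are contained here and never sent to peers."""
    processed = 0
    while queue:
        try:
            wallet_scan(secret, queue.pop(0))
        except MalformedNote:
            pass  # log locally if desired; nothing observable by the sender
        processed += 1
    return processed


def response_is_invariant(handler: Callable[[bytes], Response], blobs: List[bytes]) -> bool:
    """Regression check: a handler must answer identically for every input."""
    return len({handler(b) for b in blobs}) == 1
```

Run `response_is_invariant` over a payee-addressed well-formed note, a payee-addressed malformed note and a note for someone else: the vulnerable handler fails it (replies "ok" at cost 1, "ok" at cost 51 and "reject"), the hardened handler passes. The same invariance requirement, applied to the wallet-to-node request pattern instead of the P2P reply, is what the Monero traffic-analysis leak summarized above violates.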